From 28ac0b12fb0231bcaf60b63df5c690ec2f87cf41 Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Wed, 4 May 2022 18:08:54 +0530 Subject: [PATCH] mbedtls: Remove deprecated options from mbedtls/esp_config.h - Removed options related to RC4 ciphersuite, SSL3 and TLS1 (as per mbedtls v3.1.0) --- components/mbedtls/Kconfig | 17 ---- .../mbedtls/port/include/mbedtls/esp_config.h | 98 +++---------------- components/wpa_supplicant/CMakeLists.txt | 6 +- 3 files changed, 16 insertions(+), 105 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 9ac8eb903b..ba0e294a79 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -726,23 +726,6 @@ menu "mbedTLS" 3DES is vulnerable to the Sweet32 attack and should only be enabled if absolutely necessary. - choice MBEDTLS_RC4_MODE - prompt "RC4 Stream Cipher (legacy, insecure)" - default MBEDTLS_RC4_DISABLED - help - ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not - added to default ciphersuites, or enabled completely. - - Please consider the security implications before enabling RC4. - - config MBEDTLS_RC4_DISABLED - bool "Disabled" - config MBEDTLS_RC4_ENABLED_NO_DEFAULT - bool "Enabled, not in default ciphersuites" - config MBEDTLS_RC4_ENABLED - bool "Enabled" - endchoice - config MBEDTLS_BLOWFISH_C bool "Blowfish block cipher (read help)" default n diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 47db5830e1..44f26cffac 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h 
@@ -290,43 +290,6 @@ #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN #define MBEDTLS_CIPHER_PADDING_ZEROS -/** - * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C - * - * MBEDTLS_ARC4_C - * Enable the ARCFOUR stream cipher. - * - * This module enables/disables the following ciphersuites - * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA - * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA - * - * MBEDTLS_REMOVE_ARC4_CIPHERSUITES - * This flag removes the ciphersuites based on RC4 from the default list as - * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to - * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them - * explicitly. - * - * Uncomment this macro to remove RC4 ciphersuites by default. - */ -#ifdef CONFIG_MBEDTLS_RC4_ENABLED -#define MBEDTLS_ARC4_C -#undef MBEDTLS_REMOVE_ARC4_CIPHERSUITES -#elif defined CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT -#define MBEDTLS_ARC4_C -#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES -#else -#undef MBEDTLS_ARC4_C -#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES -#endif - /** * \def MBEDTLS_ECP_RESTARTABLE * @@ -529,7 +492,6 @@ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED @@ -557,7 +519,6 @@ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 
@@ -581,7 +542,6 @@ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED @@ -610,7 +570,6 @@ * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED @@ -641,8 +600,6 @@ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED @@ -701,7 +658,6 @@ * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -729,7 +685,6 @@ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */ #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED @@ -746,7 +701,6 @@ * * This enables the following ciphersuites (if other requisites are * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 
@@ -774,7 +728,6 @@ * * This enables the following ciphersuites (if other requisites are * enabled as well): - * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA @@ -1071,41 +1024,6 @@ #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE #endif -/** - * \def MBEDTLS_SSL_PROTO_TLS1 - * - * Enable support for TLS 1.0. - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.0 - */ -#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1 -#define MBEDTLS_SSL_PROTO_TLS1 -#else -#undef MBEDTLS_SSL_PROTO_TLS1 -#endif - -/** - * \def MBEDTLS_SSL_PROTO_SSL3 - * - * Enable support for SSL 3.0. - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * \deprecated This option is deprecated and will be removed in a future - * version of Mbed TLS. - * - * Comment this macro to disable support for SSL 3.0 - */ -#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3 -#define MBEDTLS_SSL_PROTO_SSL3 -#else -#undef MBEDTLS_SSL_PROTO_SSL3 -#endif - /** * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING * @@ -1393,7 +1311,7 @@ * * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH && CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +#ifdef CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH #else #undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH @@ -1787,6 +1705,19 @@ #undef MBEDTLS_DES_C #endif +/** + * \def MBEDTLS_ARC4_C + * + * NOTE: mbedTLS-3.x release has removed support for RC4 cipher-suite. + * TODO: IDF-4983 + * + * Following option is kept as there are a few places in the + * WPA supplicant component in ESP-IDF that relies on this config. + * This shall be removed once the RC4 cipher-suite support is cleanly + * removed from WPA supplicant component. + */ +#undef MBEDTLS_ARC4_C + /** * \def MBEDTLS_DHM_C * 
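Review bot: The new guard in the `-1393,7 +1311,7` hunk no longer checks `MBEDTLS_SSL_MAX_FRAGMENT_LENGTH`, while the retained doc comment directly above still says `Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH`, so `MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH` can now be defined in a configuration where the fragment-length extension is off. If the dependency still holds, keep it explicit with `#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && defined(CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)`; if it is now enforced elsewhere (for example in Kconfig, which this hunk does not show), update the `Requires:` line to say so. The commit message covers only the RC4, SSL3 and TLS1 removal, so this behaviour change deserves its own mention there.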
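Review bot: The comment added in the `-1787,6 +1705,19` hunk says the option "is kept" because the WPA supplicant relies on it, but the only code line is `#undef MBEDTLS_ARC4_C`, so a reader cannot tell whether RC4 is meant to be on or off. Say what the line actually does, e.g. `MBEDTLS_ARC4_C is forced undefined: Mbed TLS 3.x has no RC4, so the WPA supplicant must use its own src/crypto/rc4.c`. That the supplicant tests this macro is inferred from the comment and from the CMakeLists.txt change in the same commit, so confirm it before wording it as fact. It is also worth stating that RC4 code still ships in the image through the supplicant until IDF-4983 is done, so nobody reads this commit as removing RC4 from the firmware.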
@@ -2151,7 +2082,6 @@ * Caller: library/pkparse.c * * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C - * Can use: MBEDTLS_ARC4_C * * This module enables PKCS#12 functions. */ diff --git a/components/wpa_supplicant/CMakeLists.txt b/components/wpa_supplicant/CMakeLists.txt index 140bcb8169..8987aba14d 100644 --- a/components/wpa_supplicant/CMakeLists.txt +++ b/components/wpa_supplicant/CMakeLists.txt @@ -95,10 +95,8 @@ if(CONFIG_WPA_MBEDTLS_CRYPTO) "esp_supplicant/src/crypto/crypto_mbedtls-bignum.c" "esp_supplicant/src/crypto/crypto_mbedtls-rsa.c" "esp_supplicant/src/crypto/crypto_mbedtls-ec.c") - # Add internal RC4 if RC4 is disabled in mbedtls - if(CONFIG_MBEDTLS_RC4_DISABLED) - set(crypto_src ${crypto_src} "src/crypto/rc4.c") - endif() + # Add internal RC4 as RC4 has been removed from mbedtls + set(crypto_src ${crypto_src} "src/crypto/rc4.c") if(NOT CONFIG_MBEDTLS_DES_C) set(crypto_src ${crypto_src} "src/crypto/des-internal.c") endif()
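Review bot: With the `if(CONFIG_MBEDTLS_RC4_DISABLED)` guard gone, `src/crypto/rc4.c` is compiled into every build that sets `CONFIG_WPA_MBEDTLS_CRYPTO`, and the new comment gives no pointer to when it can be dropped. Tie it to the tracking item already named in esp_config.h, e.g. `# Internal RC4: removed from mbedtls 3.x; drop together with the MBEDTLS_ARC4_C stub (IDF-4983)`, and prefer `list(APPEND crypto_src "src/crypto/rc4.c")` over re-setting the variable from itself. Any other place that still tests `CONFIG_MBEDTLS_RC4_DISABLED`, `CONFIG_MBEDTLS_RC4_ENABLED` or `CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT` will now always see the symbol undefined; none is visible in this patch, so that needs a tree-wide search. The enclosing `if(CONFIG_WPA_MBEDTLS_CRYPTO)` block ends outside the hunk.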